roehling / postsrsd

Postfix Sender Rewriting Scheme daemon

DMARC failed on rewritten message #82

Closed djc closed 6 years ago

djc commented 6 years ago

I'm using postsrsd mostly successfully on my server (with Postfix), which I use to host a number of domains and forward (most of the) incoming mail to some GMail addresses. In order to make sure GMail accepts the forwarded messages, I'm using postsrsd. However, today I noticed that messages from a domain registrar are being rejected by GMail:

550-5.7.1 Unauthenticated email from registrar.tld is not accepted due to domain's
550-5.7.1 DMARC policy. Please contact the administrator of registrar.tld domain
550-5.7.1 if this was a legitimate mail. Please visit
550-5.7.1  https://support.google.com/mail/answer/2451690 to learn about the
550 5.7.1 DMARC initiative. t12si1955806edi.28

In the server logs, I see that the Return-Path is correctly rewritten: srs_forward: <support@registrar.tld> rewritten as <SRS0=8CcT=FX=registrar.tld=support@example.td>.

I'm using the recommended postfix config from the README:

# postsrsd
sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes = envelope_recipient,header_recipient

My hypothesis is that, because the Sender and From addresses are not rewritten, the DMARC checks fail. I tried to add header_sender to the postfix config, but that doesn't seem to have helped. Any suggestions for if/how postsrsd can help with this problem?

roehling commented 6 years ago

From my understanding, DMARC passes if at least one of two conditions is met:

Clearly, forwarding breaks the first condition, but if you keep the original DKIM signature, the second condition should still hold and the DMARC check pass. Just make sure that you do not accidentally replace the original DKIM signature with your own.

djc commented 6 years ago

This message doesn't have a DKIM signature. As the From header doesn't match the SMTP MAIL FROM domain (it was not rewritten by postsrsd), the receiving server would then rightfully refuse it.

roehling commented 6 years ago

If you ask me, deploying a reject DMARC policy without routinely signing outgoing mails with DKIM is asking for trouble, for the exact reason you're encountering now. This is something that has to be fixed by registrar.tld, so I would file a bug report with them.

Theoretically, messing with the From: header could help, but this will introduce all kinds of side effects, most notably it will leak the ephemeral SRS addresses in a user-visible way; the addresses might end up in someone's address book, even though they will stop working after a few days.
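The DMARC evaluation this thread turns on, as an added example that is not part of the original discussion and is not postsrsd code: it parses the SRS0 address from the log line above and applies the RFC 7489 identifier-alignment rules to a direct delivery and three forwarded deliveries. The function names, the header From address, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
def org_domain(domain):
    # Assumption: last two labels stand in for the Public Suffix List
    # lookup that a real DMARC evaluator performs.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b, strict=False):
    # Strict alignment needs an exact match, relaxed only the same org domain.
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)

def parse_srs0(address):
    # Layout: SRS0=hash=timestamp=orig-domain=orig-local@forwarder
    local, _, forwarder = address.rpartition("@")
    if not local.upper().startswith("SRS0"):
        return None
    parts = local[5:].split("=", 3)  # skip "SRS0" plus its separator
    if len(parts) != 4:
        return None
    _hash, _stamp, orig_domain, orig_local = parts
    return {"forwarder": forwarder, "original": f"{orig_local}@{orig_domain}"}

def dmarc_result(header_from, mail_from, spf_pass, dkim_pass_domains=()):
    # DMARC passes when SPF passes for a MAIL FROM domain aligned with the
    # From header, or when a valid DKIM signature's d= domain is aligned.
    from_dom = header_from.rpartition("@")[2]
    env_dom = mail_from.rpartition("@")[2]
    spf_ok = spf_pass and aligned(env_dom, from_dom)
    dkim_ok = any(aligned(d, from_dom) for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "pass": spf_ok or dkim_ok}

# Values taken from the thread; the header From address is constructed.
HEADER_FROM = "support@registrar.tld"
SRS_SENDER = "SRS0=8CcT=FX=registrar.tld=support@example.td"

def scenarios():
    return {
        # Registrar delivers directly: SPF passes and is aligned.
        "direct": dmarc_result(HEADER_FROM, HEADER_FROM, True),
        # Forwarded without SRS: forwarder's IP is not in registrar's SPF.
        "forwarded_no_srs": dmarc_result(HEADER_FROM, HEADER_FROM, False),
        # Forwarded with SRS: SPF passes, but for the forwarder's domain.
        "forwarded_srs": dmarc_result(HEADER_FROM, SRS_SENDER, True),
        # Same, with an intact original DKIM signature (d=registrar.tld).
        "forwarded_srs_dkim": dmarc_result(HEADER_FROM, SRS_SENDER, True,
                                           ["registrar.tld"]),
    }

if __name__ == "__main__":
    print(parse_srs0(SRS_SENDER))
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

SRS turns an SPF failure into an SPF pass for the forwarder's own domain, which is never aligned with the original From header, so only a surviving DKIM signature from the sender's domain lets a forwarded message pass DMARC.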

djc commented 6 years ago

That makes a lot of sense. Thanks for the explanation!